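#!/bin/bash
#
# Wrapper around ssh that has Vault's SSH CA secrets engine sign the public
# half of SSH_KEY_PATH (or of a throwaway ed25519 key generated here when
# SSH_KEY_PATH is empty), runs ssh with the key plus the signed certificate,
# and removes the certificate and any temporary key afterwards.
#
# Environment:
#   SSH_KEY_PATH     - private key to sign; leave empty to generate a temporary key
#   VSSH_ROLE        - Vault SSH role passed as -role (required)
#   VSSH_PRINCIPALS  - value passed as -valid-principals (may be empty)
# Arguments: forwarded verbatim to ssh.
# Exit status: ssh's exit status, or non-zero if key generation/signing fails.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Paths removed by cleanup(). They are declared before the trap is installed
# so cleanup also runs correctly when the script dies before creating them
# (Ctrl-C, failed signing, failed ssh, ...).
SSH_KEY_DIR=""
SIGNED_KEY_PATH=""

# delete the signed certificate and the temporary key (if one was generated)
cleanup() {
  if [[ -n "$SIGNED_KEY_PATH" ]]; then
    rm -f -- "$SIGNED_KEY_PATH"
  fi
  if [[ -n "$SSH_KEY_DIR" ]]; then
    # ":?" guards against ever expanding to "rm -rf /"
    rm -rf -- "${SSH_KEY_DIR:?}"
  fi
}
trap cleanup EXIT

# Files created below (key material, certificate) must not be group/world
# readable, even for the instant before chmod runs.
umask 077

# if no path to the key exists, create a temporary one
if [[ -z "${SSH_KEY_PATH:-}" ]]; then
  SSH_KEY_DIR=$(mktemp -d) || die "mktemp failed"
  SSH_KEY_PATH=$SSH_KEY_DIR/id_ed25519
  ssh-keygen -q -t ed25519 -N "" -f "$SSH_KEY_PATH" || die "ssh-keygen failed"
fi
SIGNED_KEY_PATH=$SSH_KEY_PATH.pub.signed

: "${VSSH_ROLE:?VSSH_ROLE must be set to the Vault SSH role}"

# Ask Vault to sign the public key. -no-exec stops vault from launching ssh
# itself (we run ssh below); -field=signed_key prints only the certificate,
# which is stored next to the key as <key>.pub.signed. The positional
# "localhost" is the placeholder target vault ssh requires even with -no-exec.
vault ssh \
  -no-exec \
  -field=signed_key \
  -mode=ca \
  -role="$VSSH_ROLE" \
  -valid-principals="${VSSH_PRINCIPALS:-}" \
  -public-key-path="$SSH_KEY_PATH.pub" \
  -private-key-path="$SSH_KEY_PATH" \
  localhost > "$SIGNED_KEY_PATH" || die "vault ssh: signing the key failed"
chmod 400 -- "$SIGNED_KEY_PATH"
# a successful-looking vault call can still leave an empty file; refuse to
# hand that to ssh
[[ -s "$SIGNED_KEY_PATH" ]] || die "vault ssh returned an empty certificate"

# [DEBUG] show the certificate's principals/validity; sent to stderr so that
# ssh's stdout stays clean for callers that pipe it.
ssh-keygen -L -f "$SIGNED_KEY_PATH" >&2

# execute the SSH; "$@" keeps arguments containing spaces intact. Capture the
# status instead of letting -e abort so the script exits with ssh's code
# (cleanup still runs through the EXIT trap).
rc=0
ssh -i "$SSH_KEY_PATH" -i "$SIGNED_KEY_PATH" "$@" || rc=$?
exit "$rc"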